docker-postfix/ansible-playbooks/forward.yml

- hosts: [forward]
  become: true
  vars:
    hostname: forward.example.com
    virtual_alias_domains:
    - example.co
    - example.com
    - example.info
    # docs recommend against whitelist
    tls_protocols: ['!SSLv2', '!SSLv3', '!TLSv1', '!TLSv1.1']
  tasks:
  - docker_network:
      name: mail
  - docker_volume:
      volume_name: postfix_config
    register: config_volume
  - docker_volume:
      volume_name: postfix_queue
    register: queue_volume
  - stat:
      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}'
    register: config_volume_stat
  - name: create virtual alias map
    copy:
      # http://www.postfix.org/virtual.5.html
      content: |
        alice@example.co alice@gmail.com
        office@example.info alice@gmail.com
        bob@example.co bob@gmail.com
        bob@example.com bob@gmail.com
      dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual'
      mode: u=r,g=,o=
      # workaround if userns remapping enabled
      # postmap: fatal: open /etc/postfix/virtual.db: Permission denied
      owner: '{{ config_volume_stat.stat.uid }}'
    register: virtual_alias_map
  - openssl_privatekey:
      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
      type: RSA
      size: 4096
      owner: '{{ config_volume_stat.stat.uid }}'
      mode: o=r,g=,o=
  - openssl_csr:
      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem'
      privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
      common_name: '{{ hostname }}'
      subject_alt_name: ['DNS:{{ hostname }}']
      country_name: AT
      basic_constraints: ['CA:FALSE']
      basic_constraints_critical: yes
      digest: sha256
      mode: a=r
  - openssl_certificate:
      backup: yes
      path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem'
      csr_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert-request.pem'
      privatekey_path: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem'
      provider: selfsigned
      mode: a=r
    register: smtpd_cert
  - name: postsrsd secrets volume
    docker_volume:
      volume_name: postsrsd_secrets
    register: postsrsd_secrets_volume
  - name: postsrsd secrets dir
    file:
      path: '{{ postsrsd_secrets_volume.ansible_facts.docker_volume.Mountpoint }}/secrets'
      state: directory
      # arbitrary user, see https://github.com/fphammerle/docker-postsrsd/blob/docker/0.1.1-postsrsd1.6-amd64/Dockerfile
      mode: a=rwx,+t
  - name: postsrsd
    docker_container:
      name: postsrsd
      # docker/0.1.1-postsrsd1.6-amd64
      image: fphammerle/postsrsd@sha256:486d79d63ce716994b7baca55172334aca525557e6609ee5864924040b6ad2d3
      networks: [name: mail]
      purge_networks: yes
      env:
        SRS_DOMAIN: '{{ hostname }}'
      volumes:
      - '{{ postsrsd_secrets_volume.ansible_facts.docker_volume.Mountpoint }}/secrets:/etc/postsrsd/secrets:rw'
      restart_policy: always
  - name: create config
    copy:
      content: |
        smtpd_tls_security_level = may
        smtpd_tls_cert_file=/smtpd-cert.pem
        smtpd_tls_key_file=/smtpd-key.pem
        smtpd_tls_protocols = {{ tls_protocols | join(', ') }}
        smtpd_tls_ciphers = high
        smtpd_tls_session_cache_database = btree:${data_directory}/smtpd-tls-session-cache
        # $myhostname prefix is a RFC requirement
        smtpd_banner = $myhostname ESMTP $mail_name quid agis?

        # http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
        smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination
        mydestination =
        # http://www.postfix.org/VIRTUAL_README.html#virtual_alias
        virtual_alias_domains = {{ virtual_alias_domains | join(', ') }}
        virtual_alias_maps = hash:/etc/postfix/virtual

        # include TLS protocol & cipher in 'Received' header
        smtpd_tls_received_header = yes

        # bytes
        message_size_limit = {{ 32 * 1024 * 1024 }}
        delay_warning_time = 1h

        sender_canonical_maps = tcp:postsrsd:10001
        sender_canonical_classes = envelope_sender
        recipient_canonical_maps = tcp:postsrsd:10002
        recipient_canonical_classes= envelope_recipient,header_recipient

        smtp_tls_security_level = encrypt
        smtp_tls_mandatory_protocols = {{ tls_protocols | join(', ') }}
        smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache

        # http://www.postfix.org/MAILLOG_README.html
        maillog_file = /dev/stdout

        # http://www.postfix.org/COMPATIBILITY_README.html
        compatibility_level = 2
      dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf'
      # postfix: warning: not owned by root
      owner: '{{ config_volume_stat.stat.uid }}'
      mode: u=r,g=,o=
    register: config
  - name: postfix
    docker_container:
      name: postfix
      # 1.0.1-postfix3.4.5r0-amd64
      image: fphammerle/postfix@sha256:b2d214d66f1760bdcbfa3156efa7cb08cef5d80e5f6607e181f79fdde409b82d
      hostname: '{{ hostname }}'
      volumes:
      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro'
      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/virtual:/etc/postfix/virtual:ro'
      - '{{ queue_volume.ansible_facts.docker_volume.Mountpoint }}:/var/spool/postfix:rw'
      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/key.pem:/smtpd-key.pem:ro'
      - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/cert.pem:/smtpd-cert.pem:ro'
      env:
        POSTMAP_PATHS: |
          /etc/postfix/virtual
      networks: [name: mail]
      purge_networks: yes
      published_ports: ['25:25']
      restart_policy: unless-stopped
      restart: '{{ config.changed or virtual_alias_map.changed or smtpd_cert.changed }}'
  - name: send test mail
    command: docker exec postfix sendmail check@ssl-tools.net
  - name: ssl-tools test url
    debug:
      msg: 'https://ssl-tools.net/mailservers/{{ hostname }}'